c061c96731078f03bfee42a84070cd6f4319a99e2eb17c3e730967152646b570

Resubmissions

03-07-2024 15:25

240703-stqqgswapb 3

03-07-2024 15:19

240703-sqgy6svfqh 3

Analysis

max time kernel
69s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExecutableScriptsLabel.exe
Size

36.1MB
MD5

65f340057b5ecd866c624f3c93a33c61
SHA1

32c66b6bda9eeb80421268ef460545ed3cdaeab8
SHA256

c061c96731078f03bfee42a84070cd6f4319a99e2eb17c3e730967152646b570
SHA512

8fce464f5a1620451c26ebc817810bf6000f61d47409bd8e5c4b91c8c7552ceea9aeb1ffa11d531cf65ecc96f6e67ff9b9cfeef09464b563314c1cff2b0c3dde
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfp:fMguj8Q4Vfv0qFTrYH

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
2060	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1808	powershell.exe
1808	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeIncreaseQuotaPrivilege	1116	WMIC.exe
Token: SeSecurityPrivilege	1116	WMIC.exe
Token: SeTakeOwnershipPrivilege	1116	WMIC.exe
Token: SeLoadDriverPrivilege	1116	WMIC.exe
Token: SeSystemProfilePrivilege	1116	WMIC.exe
Token: SeSystemtimePrivilege	1116	WMIC.exe
Token: SeProfSingleProcessPrivilege	1116	WMIC.exe
Token: SeIncBasePriorityPrivilege	1116	WMIC.exe
Token: SeCreatePagefilePrivilege	1116	WMIC.exe
Token: SeBackupPrivilege	1116	WMIC.exe
Token: SeRestorePrivilege	1116	WMIC.exe
Token: SeShutdownPrivilege	1116	WMIC.exe
Token: SeDebugPrivilege	1116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1116	WMIC.exe
Token: SeRemoteShutdownPrivilege	1116	WMIC.exe
Token: SeUndockPrivilege	1116	WMIC.exe
Token: SeManageVolumePrivilege	1116	WMIC.exe
Token: 33	1116	WMIC.exe
Token: 34	1116	WMIC.exe
Token: 35	1116	WMIC.exe
Token: 36	1116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1116	WMIC.exe
Token: SeSecurityPrivilege	1116	WMIC.exe
Token: SeTakeOwnershipPrivilege	1116	WMIC.exe
Token: SeLoadDriverPrivilege	1116	WMIC.exe
Token: SeSystemProfilePrivilege	1116	WMIC.exe
Token: SeSystemtimePrivilege	1116	WMIC.exe
Token: SeProfSingleProcessPrivilege	1116	WMIC.exe
Token: SeIncBasePriorityPrivilege	1116	WMIC.exe
Token: SeCreatePagefilePrivilege	1116	WMIC.exe
Token: SeBackupPrivilege	1116	WMIC.exe
Token: SeRestorePrivilege	1116	WMIC.exe
Token: SeShutdownPrivilege	1116	WMIC.exe
Token: SeDebugPrivilege	1116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1116	WMIC.exe
Token: SeRemoteShutdownPrivilege	1116	WMIC.exe
Token: SeUndockPrivilege	1116	WMIC.exe
Token: SeManageVolumePrivilege	1116	WMIC.exe
Token: 33	1116	WMIC.exe
Token: 34	1116	WMIC.exe
Token: 35	1116	WMIC.exe
Token: 36	1116	WMIC.exe
Token: SeDebugPrivilege	2060	taskkill.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 516	2592	ExecutableScriptsLabel.exe	94
PID 2592 wrote to memory of 516	2592	ExecutableScriptsLabel.exe	94
PID 516 wrote to memory of 4000	516	cmd.exe	95
PID 516 wrote to memory of 4000	516	cmd.exe	95
PID 516 wrote to memory of 1808	516	cmd.exe	96
PID 516 wrote to memory of 1808	516	cmd.exe	96
PID 1808 wrote to memory of 1116	1808	powershell.exe	97
PID 1808 wrote to memory of 1116	1808	powershell.exe	97
PID 1808 wrote to memory of 2060	1808	powershell.exe	99
PID 1808 wrote to memory of 2060	1808	powershell.exe	99

C:\Users\Admin\AppData\Local\Temp\ExecutableScriptsLabel.exe
"C:\Users\Admin\AppData\Local\Temp\ExecutableScriptsLabel.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\system32\cmd.exe
  cmd.exe /C call C:\Users\Admin\AppData\Local\Temp\ad01e643dfb1e68e9480973cafc758b1.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\system32\findstr.exe
    findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\ad01e643dfb1e68e9480973cafc758b1.bat"
    3⤵
    PID:4000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\System32\Wbem\WMIC.exe
      "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1116
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3376,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
1⤵
PID:3916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01pflyae.bkf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad01e643dfb1e68e9480973cafc758b1.bat

Filesize
3.4MB

MD5
5eb1a9aaf85061d289df8c1365162da1

SHA1
4ecda126d9d5c4a95404cefeb978bf34fb5b4c4b

SHA256
3f2fa9af7417b0a5f96b91cb957a5e60ff48f8f554c60a114a000ef5fe90fafe

SHA512
fea9efa4f3ffec4cfc2cb97939e5ef6a753a57f01ce16f81add7a4286bab3672ab645f230b613e5d104ae35d66371e20a538582bbaf933626cc57831f0b10b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotNFDkQn.bat

Filesize
199B

MD5
aac1be3594c6c387fc97e3175e3f4c10

SHA1
46e4e5ac11b012b7e2dfd11937bb0642e7f6d000

SHA256
f1d34cb18c7256a00fbb1f1d311ca987cb785c772856e87b1e9a8f235946a12d

SHA512
0ea2a02ff22f98b69efb6e8912803577d5d029abdb04da3d7cc2473e8351e2524ab7fbfe9aa79889b3f9bad13f09a6d3dab61863cad069b6894132138dbf01ee

Download Submit
memory/1808-14-0x00007FFC78843000-0x00007FFC78845000-memory.dmp

Filesize
8KB

Download
memory/1808-20-0x000002586F850000-0x000002586F872000-memory.dmp

Filesize
136KB

Download
memory/1808-25-0x00007FFC78840000-0x00007FFC79301000-memory.dmp

Filesize
10.8MB

Download
memory/1808-26-0x00007FFC78840000-0x00007FFC79301000-memory.dmp

Filesize
10.8MB

Download
memory/1808-29-0x00007FFC78840000-0x00007FFC79301000-memory.dmp

Filesize
10.8MB

Download